SSO key hijacking
Issue #230
resolved
You can simply save your client to an html file and upload it to a webserver with a domain (localhost is not tested).
You can just keep refreshing the client and the emulator will allow you to log in again; this still works even if you delete your cookies or if you log out through the CMS.
I looked at the source and discovered that the key was never reset after its use in the emulator. https://bitbucket.org/Wesley12312/ar...e-view-default
As you can see on line 62 [HabboManager.java:62], the method checks if an account with the SSO key exists; if it does, it allows the user to log in.
The key is never reset after fetching the user.
Comments (3)
-
reporter -
repo owner - changed status to resolved
Fixed.
If hotel is in debugging mode it WILL NOT remove the SSO.
-
repo owner - removed version
Removing version: 1.0.10 (automated comment)
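The behaviour reported above next to a single-use ticket check, as an added example that is not the emulator's own code. The class and method names are hypothetical, an in-memory map stands in for wherever the emulator stores SSO keys, and the ticket value is constructed.

```java
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for the emulator's SSO lookup (not the project's API).
public class SsoTicketDemo {
    private final Map<String, Integer> tickets = new ConcurrentHashMap<>();
    private final boolean debugging; // mirrors the "debugging mode" exception in the fix

    SsoTicketDemo(boolean debugging) { this.debugging = debugging; }

    void issue(String ticket, int userId) { tickets.put(ticket, userId); }

    // Behaviour described in the report: the key is looked up but never reset,
    // so any saved copy of the client can present it again.
    Optional<Integer> loginReplayable(String ticket) {
        if (ticket == null || ticket.isEmpty()) return Optional.empty();
        return Optional.ofNullable(tickets.get(ticket));
    }

    // Single-use check: remove() fetches and invalidates in one atomic step,
    // so two concurrent logins with the same key cannot both succeed.
    Optional<Integer> loginSingleUse(String ticket) {
        // Reject empty keys so a cleared or blank value can never match an account.
        if (ticket == null || ticket.isEmpty()) return Optional.empty();
        if (debugging) return Optional.ofNullable(tickets.get(ticket)); // key kept in debug mode
        return Optional.ofNullable(tickets.remove(ticket));
    }

    public static void main(String[] args) {
        String ticket = "constructed-ticket-0001"; // constructed sample value

        SsoTicketDemo live = new SsoTicketDemo(false);
        live.issue(ticket, 42);
        System.out.println("replayable, 1st use: " + live.loginReplayable(ticket).isPresent());
        System.out.println("replayable, 2nd use: " + live.loginReplayable(ticket).isPresent());
        System.out.println("single-use, 1st use: " + live.loginSingleUse(ticket).isPresent());
        System.out.println("single-use, 2nd use: " + live.loginSingleUse(ticket).isPresent());

        // With debugging enabled the key survives, so replay is possible again.
        SsoTicketDemo debug = new SsoTicketDemo(true);
        debug.issue(ticket, 42);
        debug.loginSingleUse(ticket);
        System.out.println("debug mode, 2nd use: " + debug.loginSingleUse(ticket).isPresent());
    }
}
```

With a database-backed store, the same property needs the lookup and the reset to happen in one transaction or one conditional update, otherwise two simultaneous requests can both read the key before either clears it.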